SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

INTERNET STORM CENTER TECH CORNER

The State of Security Operations With IDC and Splunk. Does your organization have the processes in place to investigate and effectively respond to cyberattacks? IDC surveyed security decision makers at 600 organizations to understand the state of security operations today. Join this webinar to learn why an analytics-driven approach can make security investigation more efficient and effective, reducing costs and improving security posture. http://www.sans.org/info/198325

TOP OF THE NEWS

--Equifax CEO Invited to Testify Before Congress
(September 13, 2017)

The US House Energy and Commerce Committee has formally invited Equifax Chairman and CEO Richard F. Smith to testify before Congress on October 3. Other congressional committees are also planning hearings on the Equifax breach.

[Editor Comments]
[Pescatore] We can now tick off 3 of the four predictable "Post Mega-Breach Cha Cha" dance steps; only some C-level firings are left. The final stage is usually just a lot of clicking of the "Like" button - "slacktivism" and no movement forward. Use the publicity tailwind to gain C-level support to make changes.
[Murray] One hopes that this will not be merely one more public shaming of a hapless executive. This industry is the, perhaps unintended, creature of the Fair Credit Reporting Act. It deals in hearsay, not to say slander, which it is manifestly unable to control or protect. It represents an unacceptable risk to the identity, reputation, and privacy of American consumers. The Law desperately needs reform and that reform should be the focus of congressional hearings.
[Northcutt] One of the topics needs to be the problems citizens are running into trying to freeze their own credit reports. It is what most security experts recommend, but the credit brokers are overwhelmed. Don't give up, keep trying, keep notes and let your elected officials know if you ran into problems: https://www.usatoday.com/story/money/2017/09/13/equifax-data-breach-tried-freeze-my-credit-there-were-problems/663014001/
[Guest Editor: Lance Spitzner] Here is information you can use to build an email template to inform your organization's workforce about the incident: https://securingthehuman.sans.org/blog/2017/09/08/awareness-officers-what-to-communicate-about-the-equifax-hack

--Some US States Are Going Back to Paper Ballots
(September 11 & 13, 2017)

In the wake of rising concerns about the security of electronic voting systems, several US states are returning to the use of paper ballots for their elections. Virginia and Iowa have established post-election audit requirements that compare electronic vote totals with paper ballots. Just five states - Delaware, Georgia, Louisiana, New Jersey, and North Carolina - use exclusively electronic voting systems. Georgia will pilot a paper-ballot system in elections this fall.

[Editor Comments]
[Neely] Falling back to paper removes the electronic voting machine vulnerabilities, allows states to return to a system where they know how to mitigate the vulnerabilities and allows the electronic systems to mature. This also restores the paper record of each ballot cast, while leveraging electronic readers to count those votes. The challenge will be agreement on the re-entry condition for a secure paperless voting system.

The US Department of Homeland Security (DHS) has issued a binding operational directive (BOD) requiring all federal agencies to cease the use of Kaspersky Lab products and services. The agencies have 30 days to identify which products are in use and then 60 days beyond that to create plans to remove them. After 90 days, agencies will need to begin the process of removing the products and services.

[Editor Comments]
[Pescatore] The risk cited by DHS isn't in Kaspersky's products; it is in "the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks." Many US and Israeli security product and services companies have those same ties to, and abide by laws dictating cooperation with, their own national intelligence agencies. Bottom line: for enterprises and non-Federal Executive Branch departments and agencies not under this directive, there is no current reason for out-of-cycle replacement of Kaspersky products.

THE REST OF THE WEEK'S NEWS

Google has removed 50 apps from the Google Play Store because they contained malware that sends premium SMS messages without user consent and registers users for paid services. The free apps, which masqueraded as wallpaper, camera, and video editing apps, had been downloaded between 1 and 4.2 million times.

[Editor Comments]
[Pescatore] As far back as 2011, Google put out technical papers on detecting malware that was using packing/encrypting to evade detection. They were granted a patent for one technique just last year. Google has been quick to upgrade the protections in the Google Play app store process but looks like they've had a blind spot here for quite some time.
[Neely] The malware embedded in these applications is using advanced obfuscation techniques that make it much harder to detect. The tradeoffs made between application validation and timely release of new and updated apps in the Google Play Store allow for a certain amount of maleficence to slip through. If you're running the latest Android OS, Google Play Protect will remove applications like this when identified. Older device owners have to rely on adding anti-malware applications to their devices. If your device isn't already running Android 7.1 or 8, or prompting you to apply the update to those versions, it's time to replace it. Chris Crowley and Joshua Wright have put together a scorecard and processes which can be used to evaluate mobile applications: https://github.com/joswr1ght/MobileAppReportCard

Senator Ron Wyden (D-Oregon) has written to the CEOs of major telecommunications companies, asking them what they are doing to protect their systems from vulnerabilities presented by the Signaling System 7 (SS7) protocols. SS7 allows mobile networks to communicate with each other. Wyden asked the companies to answer a number of questions, including whether they are having SS7-focused penetration tests conducted and whether they have installed an SS7 firewall. Wyden has requested responses by October 13.

Equifax has acknowledged that the massive breach that exposed personal information of as many as 143 million people was due to a failure to apply a patch for a vulnerability in Apache Struts. A patch for the flaw was released on March 6, 2017. The Equifax breach occurred in "mid-May" 2017.

[Editor Comments]
[Pescatore] This breach and WannaCry were just the most recent examples that "Security Hygiene Matters!" Back in 2002, Microsoft shut down the Windows division for a "security push" and put the keyboards down to focus on security of existing code before doing anything related to new features or new releases. It really is time for CIOs, CISOs and IT operations to be forced to do the same for configuration and vulnerability management Critical Security Controls processes.
[Neely] There are situations in which the possible business impact of applying a patch versus the risk of exploit has come down in favor of minimizing impact to the business. As a result of this disclosure, regulators are now making queries to ensure that CVE-2017-5638 and CVE-2017-9805 are patched, which puts efforts on reporting and tracking a specific potential weakness. Rather than second-guessing what happened to Equifax, or debating exactly which threat vector was successfully exploited, this is a time to revisit your patching and vulnerability scanning processes to make sure that you're not missing patches, mitigations or supporting processes.

The American Civil Liberties Union (ACLU), the ACLU of Massachusetts, and the Electronic Frontier Foundation (EFF) have filed a lawsuit against the US Department of Homeland Security (DHS) on behalf of 11 plaintiffs over warrantless searches of their digital devices at the US border. The plaintiffs, 10 US citizens and one lawful permanent resident, had their laptops and cell phones searched when they re-entered the US from traveling abroad. In some cases, the devices were retained for extended periods of time; one, confiscated in January 2017, has yet to be returned. None of the plaintiffs has been charged with wrongdoing.

--Adobe Security Updates
(September 13, 2017)

Adobe has released updates to address security issues in Flash Player, ColdFusion, and RoboHelp for Windows. The Flash updates, available for Windows, Mac, Linux, and Chrome OS, address two critical memory corruption flaws. The ColdFusion update includes fixes for four flaws, and the RoboHelp update fixes two flaws.

--WordPress Plugin Installs Backdoor
(September 13 & 14, 2017)

A WordPress plugin that has been downloaded more than 200,000 times has been found to install backdoors on websites. The malicious code has been found in DisplayWidgets plugin versions 2.6.1 through 2.6.3. The plugin has been removed from the WordPress plugin repository. DisplayWidgets has previously been removed three times for similar infractions.

--BlueBorne Bluetooth Attack
(September 12 & 13, 2017)

A group of eight exploits, collectively dubbed BlueBorne, could be used to access devices that use Bluetooth. Attackers can use BlueBorne to access a device and control its screen and applications. Apple devices running iOS 10 and newer are not vulnerable to BlueBorne. Microsoft patched the flaws in Windows in July, and Google released a patch last month.

A dozen vulnerabilities in D-Link routers have been disclosed before the company has had time to develop and release patches. Ten of the flaws were disclosed without any prior notification to D-Link. The other two flaws were reported to the company, which has yet to issue patches for them.